What is a DMARC Policy?

A domain’s DMARC policy contains instructions for email receivers on how to handle emails that fail email authentication checks. The DMARC policy can specify three possible actions for failed emails: none, quarantine, and reject. DMARC policy at “reject” significantly minimizes the risk of domain abuse, brand impersonation, phishing, and spoofing attacks.

What Does a DMARC Policy Do?

A DMARC policy serves three primary purposes – the enforcement of email authentication protocols, establishing a reporting mechanism and protecting your emails against attacks. 

  1. Authentication Enforcement: A DMARC policy allows domain owners to specify how email receivers should handle emails that claim to originate from their domain but fail authentication checks (SPF and DKIM). The policy can instruct receivers to either quarantine or reject such emails. By enforcing authentication, DMARC helps prevent email spoofing and impersonation, as unauthorized emails are less likely to reach recipients’ inboxes.
  2. Reporting: A mechanism for email receivers to send reports back to the domain owners can be defined in your DMARC record, with information on authentication results of emails sent from the domain. These reports help in monitoring suspicious activities and improving email deliverability. 
  3. Protection: Your DMARC policy can stop CEO fraud, fake invoices, BEC attacks, the spread of ransomware, login credential thefts, and various other email fraud techniques.

Why do you need a DMARC Policy?

Your DMARC policy can protect you against a wide range of email-based attacks on your domain name. Email is the easiest way to use your brand for fraud. By impersonating your brand, hackers can send malicious phishing emails to your own employees and customers. This compromises security in your organization, and seriously harms your reputation. 

Enabling a DMARC policy for your domain acts as a shield against these email security breaches orchestrated by cybercriminals. 

You need an enforced DMARC policy at your organization to: 

  • Protect your brand’s image and reputation
  • Prevent the loss of confidential data
  • Prevent financial losses
  • Enhance email deliverability rate
  • Enhance your brand’s reliability among its partners and customer-base
  • Avoid legal risks

What are the types of DMARC Policy?

The available DMARC policy options are none, quarantine, and reject, depending on the level of DMARC enforcement you want to opt for. Here, p is the parameter that specifies DMARC policy:

1. DMARC None Policy 

DMARC policy none (p=none) is a relaxed DMARC policy used during the initial stages of a DMARC rollout to monitor email activity. It doesn’t provide any level of protection against cyberattacks.

Example:  v=DMARC1; p=none; rua=mailto:[email protected];

2. DMARC Quarantine Policy

The quarantine policy (p=quarantine) provides some level of protection: when an email fails DMARC, the domain owner can prompt the receiver to move it into the spam folder to review later.

3. DMARC Reject Policy

Finally, the reject DMARC policy (p=reject) ensures that emails that fail DMARC authentication are rejected and discarded by the receiver’s MTA, thereby providing maximum enforcement.

Example:  v=DMARC1; p=reject; rua=mailto:[email protected];

Steps to set up your DMARC policy

Step 1:

Enable SPF or DKIM for your domain by generating your free record.

Step 2:

Create a DMARC record using our DMARC record generator tool. Make sure you fill in the DMARC p= parameter to define your DMARC policy, as in the example below:

v=DMARC1; pct=100; p=reject; rua=mailto:[email protected];

Step 3:

Publish this record on your DNS.

Which DMARC policy should you use and why? 

The DMARC policy you use depends on the level of enforcement you desire and the purpose your policy will serve. Here are a few ways you can leverage your DMARC policy and its subsequent uses: 

  • To monitor your email channels

    If you simply want to monitor your email channels, a DMARC policy at p=none is enough. This policy will however not protect you against cyberattacks. 

  • To protect against Phishing and Spoofing Attacks

    If you want to protect your emails against phishing attacks and direct-domain spoofing, a DMARC policy of p=reject is imperative. It provides the highest level of DMARC enforcement and effectively minimizes impersonation attacks. 

  • To review suspicious emails before they are delivered

    If you don’t want to block unauthorized emails outright, and would rather let your receivers review emails that fail authentication in their quarantine folder, a DMARC quarantine policy is your best bet.

Which DMARC policy prevents spoofing?

A DMARC p=reject policy is the only DMARC policy that is effective in preventing spoofing attacks. This is because DMARC reject blocks unauthorized emails from reaching your receiver’s inbox, thereby stopping them from accepting, opening, and reading bad emails.

Is Opting for a DMARC Policy at Your Organization Enough?

No. Simply implementing a DMARC policy is not enough, as a proper reporting mechanism and ongoing maintenance are required as well. PowerDMARC ensures that all of that is handled in the background.

Building on your DMARC policy with PowerDMARC

A smooth shift from p=none to p=reject DMARC policy

PowerDMARC’s extensive reporting mechanism offers 7 views and filtering mechanisms for your DMARC Aggregate reports on the DMARC analyzer dashboard to effectively monitor your email channels while on DMARC none.

Update and change your DMARC policy modes

Our hosted DMARC feature allows you to update your DMARC policy modes, shift to p=reject and monitor your protocol effectively and in real-time without entering your DNS management console.

White-glove Support

Our 24-hour active support team helps orchestrate a smooth transition from a relaxed to an enforced DMARC policy so as to maximize your security while ensuring deliverability.

Common DMARC policy errors & how to fix them?

Syntax Errors 

You should be wary of any syntax errors while setting up your record to make sure that your protocol functions correctly.

Configuration Errors

Errors while configuring the DMARC policy are common and can be avoided by using a DMARC checker tool.

DMARC sp Policy 

If you configure a DMARC reject policy, but set up your subdomain policies to none, you will not be able to achieve compliance on all your outbound emails.
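The syntax and sp mistakes described above can be caught before a record is published. The following is an added example, not PowerDMARC's tooling or code from this page: a small linter that parses a DMARC record, rejects malformed tags, and warns when sp is weaker than p. It also goes slightly beyond the cases listed here by flagging p=none, pct below 100, and a missing rua. The function names and the example.com reporting address are assumptions made for illustration.

```python
POLICIES = ("none", "quarantine", "reject")  # weakest to strongest

def parse_dmarc(record):
    """Split a DMARC TXT value into tags; raise ValueError on syntax errors."""
    tags = {}
    # filter(None, ...) drops the empty piece left by a trailing ';'
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name] = value
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    for key in ("p", "sp"):
        if key in tags and tags[key].lower() not in POLICIES:
            raise ValueError(f"invalid {key} value: {tags[key]!r}")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    if "pct" in tags and not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        raise ValueError(f"pct must be an integer 0-100: {tags['pct']!r}")
    return tags

def lint_dmarc(record):
    """Return warnings about policy choices that weaken enforcement."""
    tags = parse_dmarc(record)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()  # subdomains inherit p when sp is absent
    warnings = []
    if p == "none":
        warnings.append("p=none only monitors; failing mail is still delivered")
    if POLICIES.index(sp) < POLICIES.index(p):
        warnings.append(f"sp={sp} is weaker than p={p}; subdomains are less protected")
    if int(tags.get("pct", "100")) < 100:
        warnings.append("pct below 100 applies the policy to only part of failing mail")
    if "rua" not in tags:
        warnings.append("no rua= address; aggregate reports will not be received")
    return warnings

# Constructed sample records (the example.com address is a placeholder)
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com;",
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@example.com;",
    "v=DMARC1; p=none;",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", lint_dmarc(rec) or "ok")
```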

Start your email security journey with a DMARC policy that suits your company’s needs!